2017-04-12

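SSL with Django, Gunicorn and Nginx

I am currently deploying my project over https, but I am running into some problems. I have it working with http, but when I try to incorporate ssl it breaks. I think I am misconfiguring the gunicorn upstream client in my nginx block, but I'm not sure. Could the problem be in the unix bind in my gunicorn service file? I am very new to gunicorn, so I'm a bit lost.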

My configuration is below.

Gunicorn:

[Unit] 
Description=gunicorn daemon 
After=network.target 

[Service] 
Environment=PYTHONHASHSEED=random 
User=USER 
Group=www-data 
WorkingDirectory=/path/to/project 
ExecStart=/path/to/project/project_env/bin/gunicorn --workers 3 --bind unix:/path/to/project/project.sock project.wsgi:application 

[Install] 
WantedBy=multi-user.target 

Nginx (working, HTTP):

server { 
    listen 80 default_server; 
    listen [::]:80 default_server; 
    server_name server_domain; 

    location = /favicon.ico { access_log off; log_not_found off; } 

    location /static/ {
        root /path/to/project;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/path/to/project/project.sock;
    }

} 

Nginx (HTTPS):

upstream server_prod { 
    server unix:/path/to/project/project.sock fail_timeout=0; 
} 

server { 
     listen 80 default_server; 
     listen [::]:80 default_server; 
     server_name server_domain; 

} 

server { 
    server_name server_domain; 

    listen 443; 

    ssl on; 
    ssl_certificate /etc/ssl/server_domain.crt; 
    ssl_certificate_key /etc/ssl/server_domain.key; 

    location /static/ {
        root /path/to/project;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        if (!-f $request_filename) {
            proxy_pass http://server_prod;
            break;
        }
    }
} 

Answer


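Your gunicorn systemd unit file looks OK. Your nginx config is generally OK too. You have posted too little information for a proper diagnosis. My guess is that you are not passing the X-Forwarded-Proto header to gunicorn, but it could be something else. Here is an nginx configuration file that works for me: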

upstream gunicorn {
    # fail_timeout=0 means we always retry an upstream even if it failed 
    # to return a good HTTP response (in case the Unicorn master nukes a 
    # single worker for timing out). 

    # for UNIX domain socket setups: 

    server unix:/path/to/project/project.sock fail_timeout=0; 

    # for TCP setups, point these to your backend servers 
    # server 127.0.0.1:9000 fail_timeout=0; 
} 
server { 
    listen 80; 
    listen 443 ssl http2; 
    server_name server_domain; 
    ssl_certificate /etc/ssl/server_domain.crt; 
    ssl_certificate_key /etc/ssl/server_domain.key; 

    # path for static files
    root /path/to/collectstatic/dir;

    location / {
        # checks for static file, if not found proxy to app
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app { 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 

     # When Nginx is handling SSL it is helpful to pass the protocol information 
     # to Gunicorn. Many web frameworks use this information to generate URLs. 
     # Without this information, the application may mistakenly generate http 
     # URLs in https responses, leading to mixed content warnings or broken 
     # applications. In this case, configure Nginx to pass an appropriate header: 
     proxy_set_header X-Forwarded-Proto $scheme; 

     # pass the Host: header from the client right along so redirects 
     # can be set properly within the Rack application 
     proxy_set_header Host $http_host; 

     # we don't want nginx trying to do something clever with 
     # redirects, we set the Host: header above already. 
     proxy_redirect off; 


     # Try to serve static files from nginx, no point in making an 
     # *application* server like Unicorn/Rainbows! serve static files. 
     proxy_pass http://gunicorn; 
    } 


} 

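Hi Pablo, thanks for your response. I have tried this configuration, but I get the same result as before. With this implementation I can access my application, but it is not secure. When I try to access my application via https://domain_name, I get a "This site can't be reached" error. – jdv12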


Please check that the "listen 443 ssl;" line actually has ssl after 443. –
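
The checks this thread converges on (an `ssl` flag on `listen 443`, a certificate and key, `X-Forwarded-Proto` passed to gunicorn, and what the port-80 server does) can be run mechanically over a config file. The linter below is an added example, not part of the original posts; `server_blocks`, `audit`, the finding strings and the sample config are constructed for illustration, and the parsing is a regex and brace-matching approximation rather than nginx's own parser.

```python
import re

def server_blocks(conf):
    """Return the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r'#.*', '', conf)                      # strip comments first
    bodies = []
    for m in re.finditer(r'(?m)^\s*server\s*\{', conf):  # skips upstream "server unix:..."
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies

def audit(conf):
    """Return (server_index, finding) pairs for TLS-termination mistakes."""
    out = []
    for n, body in enumerate(server_blocks(conf)):
        listens = [a.split() for a in re.findall(r'\blisten\s+([^;]+);', body)]
        legacy = bool(re.search(r'\bssl\s+on\s*;', body))   # old-style "ssl on;"
        tls = [a for a in listens if 'ssl' in a[1:] or legacy]
        plain = [a for a in listens if a not in tls]
        plain_443 = [a for a in plain if re.search(r'(^|:)443$', a[0])]
        proxies = 'proxy_pass' in body
        if plain_443:
            out.append((n, 'listen 443 without ssl'))
        if tls and not (re.search(r'\bssl_certificate\s', body)
                        and re.search(r'\bssl_certificate_key\s', body)):
            out.append((n, 'TLS listener without certificate and key'))
        if tls and proxies and 'X-Forwarded-Proto' not in body:
            out.append((n, 'X-Forwarded-Proto not passed upstream'))
        if len(plain) > len(plain_443):                     # e.g. a port-80 listener
            if proxies:
                out.append((n, 'app proxied over plain HTTP'))
            elif not re.search(r'\b(return|rewrite)\s', body):
                out.append((n, 'plain-HTTP server neither proxies nor redirects'))
    return out

# Constructed sample: a 443 listener with neither an ssl flag nor "ssl on;".
SAMPLE = """
server {
    listen 80 default_server;
}
server {
    listen 443;
    location / { proxy_pass http://server_prod; }
}
"""
print(audit(SAMPLE))
```

A clean result only means these specific mistakes are absent; `nginx -t` remains the authority on syntax, and a "site can't be reached" error with a clean config points outside nginx.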
